EXECUTIVE SUMMARY:
Cisco has disclosed a medium-severity open redirect vulnerability, CVE-2026-20123, in the web-based management interfaces of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure that could allow an unauthenticated, remote attacker to redirect a user to a malicious external web page. The flaw stems from improper validation of user-supplied HTTP request parameters in the affected interfaces. Successful exploitation requires the victim to follow a crafted URL and could facilitate phishing or other malicious activities. The vulnerability has a CVSS v3.1 base score of 4.3, reflecting network reachability with low complexity but requiring user interaction. A wide range of versions of both products is affected, including Cisco EPNM 8.0 and earlier, 8.1, and Cisco Prime Infrastructure 3.9 and earlier, 3.10.
RECOMMENDATION:
We strongly recommend you update Cisco EPNM to version 8.1.1 and Cisco Prime Infrastructure to version 3.10.6 Security Update 2.
REFERENCES:
The following reports contain further technical details: